16 August 2023 | 4 minute read

New Czech cybersecurity regulation: What you need to know

Does your business produce computers or other electronic or electrical equipment? Maybe you make machinery and equipment, pharmaceuticals, medical devices or food? Do you have 50 or more employees? Then your company is likely to be subject to the new cybersecurity regulations. The same applies if your activities are in the chemical industry or you provide a variety of digital services – for instance cloud computing, data centre services or online marketplaces.

If your company is part of a group of companies, employees of other companies in the group, even outside the Czech Republic, will also be counted.

New European Regulation

The new cybersecurity legislation will be based on the EU Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) adopted at the end of 2022.

The main change compared to the current Cybersecurity Act is the fundamental expansion of the range and number of companies the new legislation applies to. It’s estimated that instead of the current 150 or so businesses, as many as 6,000 companies will be affected. For them, this will be a regulatory change comparable to the introduction of the GDPR regime five years ago. A fundamental change is also the threat of penalties potentially amounting to millions of euros in cases where a regulated person violates the new rules.

The regulation will also affect many other sectors that are important for the operation of the national economy and society – for example, almost all energy, telecommunications, water and waste management, a range of activities in transport, financial services, healthcare and research and development.

Regulated businesses will have to:

  • once they determine that they’re covered by the new regulation, register as regulated service providers with the National Cyber and Information Security Authority (NÚKIB);
  • identify assets (ie information and data, processes, personnel, and physical assets) that are critical from a cybersecurity perspective;
  • implement appropriate organisational measures, eg establish a security management system and draft security documentation, establish security roles, operate risk, asset and supplier management;
  • implement appropriate technical measures, including access control, detection of cybersecurity events, use of cryptographic algorithms;
  • identify, resolve and report cybersecurity incidents;
  • be subject to regular audits by an authorised inspector (under contract with them) or state control by NÚKIB. A private individual with relevant education and practice in the field of cybersecurity who passes an exam with NÚKIB and is subsequently registered as an inspector may become an authorised inspector. The reasons for introducing this concept are capacity-related. It will not be within the power of NÚKIB to monitor all regulated persons.

Current situation in the Czech Republic

At the moment, the relevant legislation is still under preparation in the Czech Republic. NÚKIB recently published on its website a draft of a new law on cybersecurity together with its implementing regulations, which are intended to completely replace the existing legislation. The draft law, which takes into account a number of comments from the expert public, is currently undergoing an inter-ministerial comment procedure and is not expected to be read in the Czech Parliament until the summer of 2023. The new regulation is expected to come into force at the end of autumn or at the beginning of winter next year.

Does it affect me and when?

It’s a good idea to consider in advance whether or not the new regulation will apply to your company. It’s practical to factor in the increased costs of NIS2 implementation, staffing and technical support for the whole process, and possibly also external expert advisors who can help with this extremely important agenda. So the question to answer is: which of the new responsibilities can your company handle in the long term with its existing in-house teams, where does it need to increase capacity, and which processes can reasonably be outsourced?